Skip to content

ci: set permissions for GitHub actions#7291

Merged
briandealwis merged 2 commits intoGoogleContainerTools:mainfrom
turrisxyz:naveen/feat/set-perms-actions
Apr 13, 2022
Merged

ci: set permissions for GitHub actions#7291
briandealwis merged 2 commits intoGoogleContainerTools:mainfrom
turrisxyz:naveen/feat/set-perms-actions

Conversation

@neilnaveen
Copy link
Copy Markdown
Contributor

@neilnaveen neilnaveen commented Apr 12, 2022

@neilnaveen
Set permissions for GitHub actions
f95b65a 
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
@neilnaveen neilnaveen requested a review from a team as a code owner April 12, 2022 13:11
@neilnaveen neilnaveen requested a review from briandealwis April 12, 2022 13:11
@google-cla
Copy link
Copy Markdown

google-cla bot commented Apr 12, 2022

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

For more information, open the CLA check for this pull request.

@MarlonGamez
Copy link
Copy Markdown
Contributor

MarlonGamez commented Apr 12, 2022

@neilnaveen this definitely seems like a good change, should we do this on all of our jobs? Or is this only applicable to the one job that you modified?

1 similar comment
@MarlonGamez
Copy link
Copy Markdown
Contributor

MarlonGamez commented Apr 12, 2022

@neilnaveen this definitely seems like a good change, should we do this on all of our jobs? Or is this only applicable to the one job that you modified?

@MarlonGamez MarlonGamez changed the title Set permissions for GitHub actions ci: set permissions for GitHub actions Apr 12, 2022
@neilnaveen
Copy link
Copy Markdown
Contributor Author

neilnaveen commented Apr 13, 2022

@neilnaveen this definitely seems like a good change, should we do this on all of our jobs? Or is this only applicable to the one job that you modified?

Probably yes, for now I was able to address this one. Thanks

briandealwis
briandealwis reviewed Apr 13, 2022
View reviewed changes
@briandealwis
Copy link
Copy Markdown
Member

briandealwis commented Apr 13, 2022

Thanks @neilnaveen for picking this up.

@MarlonGamez The other jobs have permissions: read-all.

@briandealwis
Copy link
Copy Markdown
Member

briandealwis commented Apr 13, 2022

@neilnaveen you'll need to sign the CLA

@neilnaveen @briandealwis
Update .github/workflows/verify-examples.yml
1ab611f 
Co-authored-by: Brian de Alwis <bsd@acm.org>
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 13, 2022
edited
Loading

Codecov Report

Merging #7291 (1ab611f) into main (290280e) will decrease coverage by 1.99%.
The diff coverage is 56.96%.

@@            Coverage Diff             @@
##             main    #7291      +/-   ##
==========================================
- Coverage   70.48%   68.49%   -2.00%     
==========================================
  Files         515      560      +45     
  Lines       23150    26507    +3357     
==========================================
+ Hits        16317    18155    +1838     
- Misses       5776     7096    +1320     
- Partials     1057     1256     +199
Impacted Files Coverage Δ
cmd/skaffold/app/cmd/deploy.go 52.00% <ø> (-1.85%) ⬇️
cmd/skaffold/app/cmd/dev.go 84.61% <0.00%> (ø)
cmd/skaffold/app/cmd/render.go 36.66% <0.00%> (-4.72%) ⬇️
cmd/skaffold/skaffold.go 0.00% <0.00%> (ø)
cmd/skaffold/app/cmd/inspect_tests.go 62.50% <14.28%> (-1.14%) ⬇️
cmd/skaffold/app/cmd/lsp.go 28.12% <28.12%> (ø)
cmd/skaffold/app/cmd/fix.go 68.85% <40.00%> (-7.62%) ⬇️
cmd/skaffold/app/cmd/lint.go 42.85% <42.85%> (ø)
cmd/skaffold/app/cmd/find_configs.go 48.88% <50.00%> (+0.24%) ⬆️
cmd/skaffold/app/skaffold.go 76.19% <70.00%> (-8.43%) ⬇️
... and 227 more

📣 Codecov can now indicate which changes are the most critical in Pull Requests. Learn more

@briandealwis briandealwis merged commit 0322adb into GoogleContainerTools:main Apr 13, 2022
bskaplan pushed a commit to bskaplan/skaffold that referenced this pull request Apr 26, 2022
@neilnaveen @bskaplan
ci: update permissions for verify-examples GitHub actions (GoogleCont…
a64d12a 
…ainerTools#7291)

Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@briandealwis briandealwis briandealwis approved these changes

Assignees

No one assigned

Labels

size/XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@neilnaveen @MarlonGamez @briandealwis